<meta charset="utf-8">
(#) Mutable Implicit PendingIntent is disallowed

!!! ERROR: Mutable Implicit PendingIntent is disallowed
   This is an error.

Id
:   `MutableImplicitPendingIntent`
Summary
:   Mutable Implicit PendingIntent is disallowed
Severity
:   Error
Category
:   Security
Platform
:   Android
Vendor
:   Android Open Source Project
Feedback
:   https://issuetracker.google.com/issues/new?component=192708
Since
:   8.2.0 (November 2023)
Affects
:   Kotlin and Java files
Editing
:   This check runs on the fly in the IDE editor
Implementation
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/PendingIntentMutableImplicitDetector.kt)
Tests
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/PendingIntentMutableImplicitDetectorTest.kt)

Apps targeting Android 14 and above are not allowed to create
`PendingIntents` with `FLAG_MUTABLE` and an implicit intent within for
security reasons.

To retrieve an existing PendingIntent, use `FLAG_NO_CREATE`. To create a
new `PendingIntent`, either make the intent explicit, or make it
immutable with `FLAG_IMMUTABLE`.

!!! Tip
   This lint check has an associated quickfix available in the IDE.

(##) Example

Here is an example of lint warnings produced by this check:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text
src/test/pkg/PendingIntentJavaTest.java:10:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getActivity(null, 0, new Intent(), PendingIntent.FLAG_MUTABLE);
    ----------------------------------------------------------------------------
src/test/pkg/PendingIntentJavaTest.java:11:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getBroadcast(null, 0, new Intent("TEST"), PendingIntent.FLAG_MUTABLE);
    -----------------------------------------------------------------------------------
src/test/pkg/PendingIntentJavaTest.java:13:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getService(null, 0, mIntent, PendingIntent.FLAG_MUTABLE);
    ----------------------------------------------------------------------
src/test/pkg/PendingIntentJavaTest.java:14:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getActivities(null, 0, { new Intent(), mIntent }, PendingIntent.FLAG_MUTABLE);
    -------------------------------------------------------------------------------------------
src/test/pkg/PendingIntentKotlinTest.kt:10:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getActivity(null, 0, Intent(), PendingIntent.FLAG_MUTABLE)
    ------------------------------------------------------------------------
src/test/pkg/PendingIntentKotlinTest.kt:11:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getBroadcast(null, 0, Intent("TEST"), PendingIntent.FLAG_MUTABLE)
    -------------------------------------------------------------------------------
src/test/pkg/PendingIntentKotlinTest.kt:13:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getService(null, 0, mIntent, PendingIntent.FLAG_MUTABLE)
    ----------------------------------------------------------------------
src/test/pkg/PendingIntentKotlinTest.kt:14:Error: Mutable implicit
PendingIntent will throw an exception, follow either of these
recommendations: for an existing PendingIntent use FLAG_NO_CREATE and
for a new PendingIntent either make it immutable or make the Intent
within explicit [MutableImplicitPendingIntent]
    PendingIntent.getActivities(null, 0, listOf(Intent(), mIntent), PendingIntent.FLAG_MUTABLE)
    -------------------------------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here are the relevant source files:

`src/test/pkg/PendingIntentJavaTest.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package test.pkg;

import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;

public class PendingIntentJavaTest {
  Uri mUri;
  protected void test() {
    PendingIntent.getActivity(null, 0, new Intent(), PendingIntent.FLAG_MUTABLE);
    PendingIntent.getBroadcast(null, 0, new Intent("TEST"), PendingIntent.FLAG_MUTABLE);
    Intent mIntent = new Intent("TEST", mUri);
    PendingIntent.getService(null, 0, mIntent, PendingIntent.FLAG_MUTABLE);
    PendingIntent.getActivities(null, 0, { new Intent(), mIntent }, PendingIntent.FLAG_MUTABLE);
  }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

`src/test/pkg/PendingIntentKotlinTest.kt`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~kotlin linenumbers
package test.pkg

import android.app.PendingIntent
import android.content.Intent
import android.net.Uri

class PendingIntentKotlinTest {
  val mUri: Uri
  fun test() {
    PendingIntent.getActivity(null, 0, Intent(), PendingIntent.FLAG_MUTABLE)
    PendingIntent.getBroadcast(null, 0, Intent("TEST"), PendingIntent.FLAG_MUTABLE)
    val mIntent = Intent("TEST", mUri)
    PendingIntent.getService(null, 0, mIntent, PendingIntent.FLAG_MUTABLE)
    PendingIntent.getActivities(null, 0, listOf(Intent(), mIntent), PendingIntent.FLAG_MUTABLE)
  }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can also visit the
[source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/PendingIntentMutableImplicitDetectorTest.kt)
for the unit tests for this check to see additional scenarios.

(##) Suppressing

You can suppress false positives using one of the following mechanisms:

* Using a suppression annotation like this on the enclosing
  element:

  ```kt
  // Kotlin
  @Suppress("MutableImplicitPendingIntent")
  fun method() {
     getActivity(...)
  }
  ```

  or

  ```java
  // Java
  @SuppressWarnings("MutableImplicitPendingIntent")
  void method() {
     getActivity(...);
  }
  ```

* Using a suppression comment like this on the line above:

  ```kt
  //noinspection MutableImplicitPendingIntent
  problematicStatement()
  ```

* Using a special `lint.xml` file in the source tree which turns off
  the check in that folder and any sub folder. A simple file might look
  like this:
  ```xml
  &lt;?xml version="1.0" encoding="UTF-8"?&gt;
  &lt;lint&gt;
      &lt;issue id="MutableImplicitPendingIntent" severity="ignore" /&gt;
  &lt;/lint&gt;
  ```
  Instead of `ignore` you can also change the severity here, for
  example from `error` to `warning`. You can find additional
  documentation on how to filter issues by path, regular expression and
  so on
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html).

* In Gradle projects, using the DSL syntax to configure lint. For
  example, you can use something like
  ```gradle
  lintOptions {
      disable 'MutableImplicitPendingIntent'
  }
  ```
  In Android projects this should be nested inside an `android { }`
  block.

* For manual invocations of `lint`, using the `--ignore` flag:
  ```
  $ lint --ignore MutableImplicitPendingIntent ...`
  ```

* Last, but not least, using baselines, as discussed
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).

<!-- Markdeep: --><style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js" charset="utf-8"></script><script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js" charset="utf-8"></script><script>window.alreadyProcessedMarkdeep||(document.body.style.visibility="visible")</script>